From: mgrepl@redhat.com (Miroslav Grepl)
Date: Mon, 3 Aug 2015 15:34:30 +0200
Subject: [refpolicy] kdbus support
In-Reply-To: <55BF6C54.9070806@tycho.nsa.gov>
References: <55BF5F1B.1010002@redhat.com> <55BF6C54.9070806@tycho.nsa.gov>
Message-ID: <55BF6DE6.2070805@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/2015 03:27 PM, Stephen Smalley wrote:
> On 08/03/2015 08:31 AM, Miroslav Grepl wrote:
>> I am working on kdbus support on Fedora 24. Basically we need to add
>> support for
>>
>> /sys/fs/kdbus
>>
>> and I am thinking about correct labeling. Something like
>>
>> +type kdbusfs_t;
>> +fs_type(kdbusfs_t)
>> +files_mountpoint(kdbusfs_t)
>> +dev_associate_sysfs(kdbusfs_t)
>> +genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0)
>>
>> What do you think about the kdbusfs_t label?
>
> Until kdbus has LSM hooks, it should not be accessible by anything.
> Otherwise, it is a completely uncontrolled IPC mechanism by which
> anything is free to violate policy on the system.
>

Yes, just wanted to test it and see a lot of CAP_IPC_OWNER.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
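The "lot of CAP_IPC_OWNER" remark above is the kind of thing a policy developer triages from the audit log. As an added example (not part of the thread, and not refpolicy code), the shell function below summarises AVC denials of the ipc_owner capability by source domain, and a second function reports whether a kdbus mount is present and how it is labeled; the AVC lines are constructed sample input, not captured output.

```shell
#!/bin/sh
# Added example, not from the refpolicy thread. Summarises SELinux AVC denials
# of the ipc_owner capability by source domain, which is what piles up when a
# test policy exposes an IPC path (such as /sys/fs/kdbus) that has no LSM hooks.
# Constructed sample AVC lines; on a real host pipe in `ausearch -m AVC -ts today`.
SAMPLE_AVC='type=AVC msg=audit(1438608870.101:201): avc:  denied  { ipc_owner } for  pid=812 comm="systemd" capability=15  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1438608870.102:202): avc:  denied  { ipc_owner } for  pid=1190 comm="gdm" capability=15  scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1438608870.103:203): avc:  denied  { ipc_owner } for  pid=812 comm="systemd" capability=15  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1438608870.104:204): avc:  denied  { read } for  pid=1300 comm="cat" name="kdbus" dev="sysfs" ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1'

# ipc_owner_denials_by_domain: read AVC lines on stdin and print
# "<count> <source type>" for every domain denied the ipc_owner capability,
# most frequent first. Only tclass=capability records with ipc_owner count;
# the unrelated dir denial in the sample is filtered out.
ipc_owner_denials_by_domain() {
    grep 'tclass=capability' |
    grep -E 'denied +\{ ipc_owner \}' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# kdbus_reachable: report whether /sys/fs/kdbus is mounted and what label it
# carries. Per the thread, until kdbus has LSM hooks a reachable mount is
# something to flag regardless of its label.
kdbus_reachable() {
    if [ -d /sys/fs/kdbus ]; then
        ls -dZ /sys/fs/kdbus 2>/dev/null ||
            echo "/sys/fs/kdbus present (no SELinux label output available)"
    else
        echo "/sys/fs/kdbus not mounted"
    fi
}

printf '%s\n' "$SAMPLE_AVC" | ipc_owner_denials_by_domain
```

On a live system, replace the sample variable with `ausearch -m AVC -ts today | ipc_owner_denials_by_domain` to see which domains are actually hitting the capability check.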